Accessing Domain Controller from Local DSRM Account

Logging in with a local account on a domain controller is normally impossible: when you promote a member server to a domain controller (DC), the local accounts database (SAM) becomes inaccessible. However, this rule has one exception. To deal with directory service problems on a domain controller, there is a special boot mode, Directory Services Restore Mode (DSRM).

This mode is used to perform Active Directory recovery operations in the following cases: the Active Directory database is corrupted and needs to be repaired, AD database maintenance tasks (AD database compaction, error analysis and so on), rolling AD back from a backup or snapshot, restoring individual objects, or resetting the domain administrator password.

To access this mode, a special account, the DSRM Administrator, is used; it is the only local account on a domain controller.

How to set the DSRM password

The DSRM password is specified during the deployment (promotion) of a member server to a domain controller.

However, it is not necessary to remember or write down the DSRM passwords for all DCs. If needed, you can easily reset the password with the ntdsutil utility. To reset the DSRM password, log on to the domain controller (as a Domain Administrator, of course) and execute the commands:

If you need to change the DSRM administrator password on a remote DC, you can specify the server name in this way:

reset password on server DC3-name

On Windows Server 2008 SP2 (or higher), there is another way to set the DSRM administrator password: by copying (synchronizing) it from the password of a domain account. For the sync you can choose any existing user or create a new one.

Then you can log on locally to the domain controller using the password of that domain account. Note that the synchronization is a one-time copy: it does not track later changes to the user's password in AD. For regular synchronization, add the synchronization command to a startup script or to the Task Scheduler.

Can I log in to the DC as the DSRM administrator in normal mode?

In previous Windows versions, the DSRM administrator could log on to the domain controller only by booting into DSRM mode. Starting from Windows Server 2008, Active Directory Domain Services can be stopped from the Services snap-in (services.msc) without a reboot. Accordingly, the DSRM Administrator now has the ability to log on to the domain controller in normal (non-DSRM) mode.

To enable this, a small registry trick on the domain controller is used. The setting of interest is the DWORD parameter DsrmAdminLogonBehavior, located under the registry key HKLM\System\CurrentControlSet\Control\Lsa. DsrmAdminLogonBehavior can have one of the following values:
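Because this registry value widens where the only local account on a DC can be used, it is worth checking regularly. The following audit script is an added example, not part of the original article; it reads DsrmAdminLogonBehavior on every DC and flags any value other than the default (0, or the value being absent). It assumes the ActiveDirectory PowerShell module, WinRM enabled on the DCs, and an account that can read HKLM on each of them.

```powershell
# Added audit example (not from the original article). Reports the
# DsrmAdminLogonBehavior value on each domain controller. An absent value
# behaves like 0 (the default): the DSRM administrator can log on only when
# the DC is booted into DSRM. Any other value should be checked against
# change records, since it lets that local account be used outside DSRM.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'

function Get-DsrmLogonBehaviorReport {
    param([string[]]$DomainControllers)

    Invoke-Command -ComputerName $DomainControllers -ScriptBlock {
        param($key, $name)
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        # $null when the value does not exist, which is the default state.
        $value = if ($null -eq $item) { $null } else { [int]$item.$name }
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            Value            = $value
            IsDefault        = ($null -eq $value -or $value -eq 0)
        }
    } -ArgumentList $lsaKey, $valueName
}

# Enumerate all DCs in the current domain (ActiveDirectory module assumed).
$dcs    = (Get-ADDomainController -Filter *).HostName
$report = Get-DsrmLogonBehaviorReport -DomainControllers $dcs

$report | Sort-Object DomainController | Format-Table DomainController, Value, IsDefault -AutoSize

# Warn on every non-default DC so the finding can be reviewed.
foreach ($row in ($report | Where-Object { -not $_.IsDefault })) {
    Write-Warning ("{0}: {1} = {2}; DSRM administrator logon is permitted outside DSRM mode. Confirm this is intended." -f $row.DomainController, $valueName, $row.Value)
}
```

To catch changes between audit runs, enable registry object-access auditing with a SACL on the Lsa key; modifications to the value are then recorded in the Security log as event ID 4657.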